In SuiteCRM v7.12.4, in the Users module, any user whose User Type is Regular User can modify other users' profiles via the update profile section. The prerequisites for this attack are knowing the victim's user record ID (record) and username (user_name). The record ID can be obtained from the Employees section, and the username can be obtained via the employee records export bug. The impact is account takeover, because the attacker can modify the data held in the update profile section, including the email address and mobile number.
1 POST http://{HOST}/index.php, parameters record and user_name
2 POST http://{HOST}/index.php
~
1 Log in as a user with the Regular User role.
2 Go to the profile section, intercept the request with Burp Suite, and click the Save button.
3 Change the record parameter to the victim's record ID, for example 1 for the default admin.
4 Change the user_name parameter to the victim's username, for example admin for the default admin.
5 Modify other information such as the email address or phone number, if any, and forward the request in Burp.
6 Observe the changes in the admin profile.
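The following is an added example, not SuiteCRM's own code, that models the save handler behind steps 3 to 5 twice: once trusting the client-supplied record parameter (the bug described above) and once binding the record to the logged-in session and dropping privilege fields, which also blocks the role-downgrade variant from the second request file. Everything beyond the record and user_name parameters named on the page (the module and action parameters, the email1, phone_mobile and is_admin field names, the in-memory user store and the sample users) is an assumption made for the illustration.

```python
"""Added example (not SuiteCRM code): the update-profile IDOR modelled as a
minimal save handler, vulnerable version first, then the authorization check
that stops it.

Assumptions (not from the page): POST parameters arrive as a dict; the session
carries the authenticated user's id and admin flag; users live in a dict keyed
by record id. Only `record` and `user_name` are named on the page; `module`,
`action`, `email1`, `phone_mobile` and `is_admin` are assumed field names.
"""
from dataclasses import dataclass


@dataclass
class User:
    id: str
    user_name: str
    email1: str = ""
    phone_mobile: str = ""
    is_admin: bool = False


@dataclass
class Session:
    user_id: str
    is_admin: bool


class Forbidden(Exception):
    pass


def seed_users():
    """Constructed sample data: the default admin (record 1) and a regular user."""
    return {
        "1": User("1", "admin", "admin@example.com", is_admin=True),
        "2": User("2", "regular", "regular@example.com"),
    }


# Fields the profile form may change. user_name and is_admin are deliberately
# absent, so a request cannot rename a user or change their role.
PROFILE_FIELDS = ("email1", "phone_mobile")


def vulnerable_save(users, session, params):
    """Trusts the client-supplied record id: any logged-in user can rewrite any
    other user's profile, including the admin flag (the bug described above)."""
    target = users[params["record"]]
    for f in ("user_name", "email1", "phone_mobile"):
        if f in params:
            setattr(target, f, params[f])
    if "is_admin" in params:
        target.is_admin = params["is_admin"] == "1"
    return target


def hardened_save(users, session, params):
    """Binds the record to the session instead of trusting the request."""
    # 1. A non-admin may only save the record belonging to their own session.
    if not session.is_admin and params.get("record") != session.user_id:
        raise Forbidden("record does not belong to the current user")
    target = users[params["record"]]
    # 2. Only whitelisted profile fields are written; user_name and privilege
    #    flags in the request are ignored because they are server-controlled.
    for f in PROFILE_FIELDS:
        if f in params:
            setattr(target, f, params[f])
    return target


# The tampered request from steps 3 to 5, sent from a regular user's session:
# record and user_name point at the default admin, the email is replaced, and
# is_admin=0 is the role-downgrade variant.
TAMPERED_REQUEST = {
    "module": "Users",  # assumed; the page only shows POST index.php
    "action": "Save",   # assumed
    "record": "1",
    "user_name": "admin",
    "email1": "attacker@example.com",
    "is_admin": "0",
}


def demo():
    """Replays TAMPERED_REQUEST against both handlers and reports the outcome:
    (admin email after vulnerable save, admin flag after vulnerable save,
     whether the hardened handler blocked it, admin email after hardened save)."""
    regular = Session(user_id="2", is_admin=False)
    vuln_users = seed_users()
    vulnerable_save(vuln_users, regular, TAMPERED_REQUEST)
    hard_users = seed_users()
    try:
        hardened_save(hard_users, regular, TAMPERED_REQUEST)
        blocked = False
    except Forbidden:
        blocked = True
    return (vuln_users["1"].email1, vuln_users["1"].is_admin,
            blocked, hard_users["1"].email1)


if __name__ == "__main__":
    print(demo())
```

The check in hardened_save is the one a reviewer would look for in the Users module save path: the record being written must be derived from the session, not from the request, and the set of writable fields must be an allow-list that excludes identity and privilege columns.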
~
Request file: Modify other user profile via the update profile section, pwd:7Ty6DfTmuc4
Request file: Downgrade Role from Admin to Regular user, pwd:7Ty6DfTmuc4
This vulnerability allows an authenticated regular user to modify someone else's account simply by supplying that account's unique identifier (the record ID) in the profile save request.